Best Practices: The 2004 Global Information Security Survey


"It is a capital mistake," Sherlock Holmes told Watson, "to theorize before one has data. One begins to twist facts to suit theories, instead of theories to suit facts."

Not to worry, Holmes. We have a passel of data. For the second consecutive year, CSO, CIO (our sister publication) and PricewaterhouseCoopers teamed up to deconstruct information security through the largest security research project ever done: the "2004 Global Information Security Survey," with 8,100 respondents from 62 countries on six continents.

In our 2003 survey (to see the 2003 survey, go to ), we noted that the infosecurity discipline had grown but had not really improved. This year, we found that the security function didn't really grow but did, in fact, improve, at least incrementally. For example:

• Despite flat levels of spending, few new human resources being devoted to infosecurity, and the fact that the number of breaches was slightly up from last year, those breaches caused less downtime and cost less when they did occur. We believe this means that incidents are being better managed.

• More companies (although still far from a majority) have created an executive-level security presence, and more have included risk management, audit and other non-IT elements in their security governance.

• Last year's barriers to good security (budgets and time) were still cited this year as the most common obstacles, although fewer companies said those issues prevented them from getting the job done.

That's progress, and that's the good news. There is, of course, bad news. For example:

• Information security professionals in large part did not execute this year what they said last year were their top strategic priorities.

• Negative factors (such as fear of litigation) remain the primary drivers of security spending. Positive factors (such as contributing to business objectives) were less common.

• The attitude among security professionals toward critical infrastructure, regulation and working with the authorities after incidents can best be described as laissez-faire, maybe even lackadaisical.

As fond as the IT industry is of declaring revolutions, the information security part of IT resists such drama. This year's data reinforces the view that security remains a discipline, adapting itself over time to a harsh environment of threats and vulnerabilities.

On the following pages we will offer selected perspectives on that evolution, starting with a set of best practices gleaned from our respondents.

Now that you have the data, it would be a capital mistake not to tailor your theories to suit the facts.

I. The Best Practices Group and the Virtuous Cycle

We've defined a small group, about one-fifth of respondents, that described itself as "very confident" in the effectiveness of its information security practices. This group has earned the right to be confident. Collectively, while those respondents reported more security incidents, they experienced less downtime and fewer financial losses than the average respondent. This is just one of the reasons they are the Best Practices Group. (See "Why the Best Practices Group Is Best," this page.)

Behind the Numbers

In last year's data, we uncovered what we called "The Confidence Correlation," in which enterprises that expressed confidence in their security were, in fact, more secure. This year, the trend was even more pronounced.

The Best Practices Group may have suffered more incidents than the average respondent, but those incidents didn't precipitate more damage or downtime. Indeed, the Best Practices Group suffered less of each despite being targeted more often.

That higher number of reported incidents can be attributed to two facts. First, these tended to be larger companies, and larger companies are targeted more by the bad guys. Second, the Best Practices Group generally had a more comprehensive security infrastructure, which gave it more visibility into what was happening on its networks.

We know the Best Practices Group had better security, because the survey asked respondents what security and privacy safeguards their companies had in place. And for every single one of the 84 safeguards listed, the Best Practices Group was more likely (sometimes by a wide margin) than the average respondent to have put it in place.

The organizations with high confidence in their security created a virtuous cycle. They do a better job of securing their infrastructure, which breeds confidence in the enterprise (especially in the executive ranks), and that confidence translates into support that manifests itself in resources. Greater resources mean the Best Practices Group can improve security, which breeds more confidence. Voilà: a virtuous cycle. (See "The Virtuous Cycle.")

What We Think

It's good to be confident. It's better to have good reason to be confident. Here's a to-do list that we believe will help you work your way into the Best Practices Group.

1. Spend more. U.S. respondents said infosecurity accounts for less than 9 percent of their IT budgets. (Globally, it's 11 percent.) The Best Practices Group claimed 14 percent.

2. Separate information security from IT and then merge it with physical security. These disciplines can either exist under a single CSO or as separate entities governed by an executive security committee.

3. Do the following four tasks, one each quarter, over the course of the next year:

• Conduct a penetration test to patch up network and application security. (The Best Practices Group was 60 percent more likely to do this than the average respondent.)

• Perform a complete security audit to identify threats to employees and intellectual property. (The Best Practices Group did this far more often than the average respondent.)

• Create a comprehensive risk assessment process to classify and prioritize threats and vulnerabilities. (The Best Practices Group was 50 percent more likely to do this.)

• Define your overall security architecture and plan from the previous three steps. (Two-thirds of the Best Practices Group did this as opposed to only half of the respondents overall.)

4. Establish a quarterly review process, with metrics (for example, employee compliance rates) to measure your security's effectiveness. This will help you to use your increased resources more efficiently.

And eventually, you'll get locked into that virtuous cycle.

II. Damage Report

The number of incidents was up and security spending was flat. Yet, damages to the enterprise were down. That leads to a remarkably sunny conclusion: We're getting better at managing security incidents. (See "Incidents Up, Damages Down," Page 35)

Behind the Numbers

Nothing in last year's survey results indicated that the virus problem would ebb. The number of viruses big enough to make the news (including nasties like the Sasser worm) was constant. Critical patches for your software came in predictable, frequent waves. And the time between the announcement of a vulnerability and the attack that exploited it was shrinking from several months to, in the case of Sasser, 18 days.

That's why it's so surprising and heartening to report that while the bad stuff keeps coming, one-third of respondents who were hit by security breaches reported zero downtime, and one-third also reported zero financial damages. Overall, both downtime and damages were lower this year than last. (The slight uptick in the percentage of respondents who couldn't quantify damages bears monitoring.)

Last year, we characterized the breach problem as more of a nuisance (albeit an expensive and unpleasant one) than a radical threat to the stability of businesses. It was a nasty flu, not a terminal disease.

This year's data indicates that information security executives are learning to treat their colds and remembering that an ounce of prevention is worth a pound of cure.

What We Think

The Boy Scouts were right. Be prepared. The survey reveals two security practices that we believe explain the improved management of incidents.

First, disaster recovery and incident planning. Fifty-four percent of our respondents designed or improved their existing disaster recovery and business continuity plans in 2004. Thirty-eight percent of respondents this year defined a crisis or incident response strategy, and that percentage rose with company size. Among the biggest companies (revenue of $25 billion or more), 68 percent defined a crisis or incident response strategy.

Second, a strong focus on end user education. More than half of all respondents cited it as one of their practices.

When information security teams are prepared for incidents, and when end users know how to behave, damage will be minimized.

III. Missed Goals, Missed Opportunities

Last year, our respondents named the following as their strategic security goals for 2004. This year's survey indicates that those goals were often not met.

Behind the Numbers

Call this the priority gap. What you identified last year as a priority and what you actually did about it fails to sync up. It's not even close. Out of 30 security priorities (the top 17 are listed in "Missing the Mark," right) named in operations and technology in 2003, execution fell short of ambition in 28 instances. More disturbing is the fact that the only two priorities from the 2003 survey that were implemented to a greater degree than planned involved firewalls.

Security professionals turn to firewalls when they want their nonsecurity-savvy bosses to feel secure. Deploying firewalls makes it look like the security team is doing something. This is important in a discipline where, when things are going well, nothing happens.

"Deploying a firewall is actionable," says Javed Ikbal, CISO of Omgeo, a financial services company. "Also, it's easier to define and secure the perimeter than to deal with more complex threats like social engineering."

In order to be effective, firewalls and other log-based security (such as intrusion detection) require highly refined operational procedures (such as audits and monitoring), the kind of thing that was rarely implemented this year.

The survey does not reveal why you may not have gotten to last year's priorities. Time didn't seem to present a problem. In 2003, nearly half of all respondents listed "limited or no time to focus on security" as a "barrier to good security." But in 2004, that dropped to just one-third. What's more: Most other obstacles, including insufficient security awareness and the lack of upper management buy-in, also dropped significantly.

It could have been a human resources issue. Understaffing (at 44 percent) rose to the second most frequently cited obstacle. The most commonly cited barrier was, as always, money. (Although that dropped from 64 percent of respondents citing it in 2003 to 57 percent this year.)

Ikbal sees a series of factors contributing to the priority gap: "These tasks are unpleasant, and people will put them off if they can. They're afraid to know what they'll find out. [Then] they do find out, but they don't have the resources to fix what they found is broken."

So, they fall into the gap.

What We Think

Develop an enterprisewide strategic security plan. Why? It will make it easier to attack the security problem in an organized fashion rather than responding to the shifting winds of crisis and need.

In order to develop such a broad plan, though, you need to do audits, penetration tests and risk assessments. And only about one in four respondents did these during the past year. Of course they weren't meeting their priorities. Without a plan, they may not even have remembered what their priorities were.

The Best Practices Group did not suffer a priority gap nearly as wide as the average respondent. In eight categories (out of 30), the Best Practices Group's 2004 implementation numbers equaled or surpassed their 2003 plans. Among those eight categories were: obtaining top management buy-in, integrating physical and information security, and, yes, developing an enterprisewide security strategy.

This stuff is basic. The only way to bridge the gap is to start doing it on an ongoing, regularly scheduled basis.

IV. Kicking the Fox out of the Henhouse

When a business need (for example, maximizing revenue on an e-commerce site) conflicts with a security need (for example, installing the complex passwords that will make the site secure but may also discourage customers), and it's IT's job to enable the business while securing the technology, security generally suffers. This is the proverbial fox-in-the-henhouse problem. Therefore, an emerging best practice is to give the fox a new house, away from the hens. (See "Bye-Bye Fox," this page.)

Behind the Numbers

Security is getting a big dose of governance. Last year, only 15 percent of respondents said they'd created a CSO or CISO position; that leaped to 31 percent this year. What's more: The implementation of centralized security management systems nearly quadrupled year over year, from 11 percent to 39 percent.

All of that means that security received both more attention and less skepticism from other executives. And, indeed, the lack of executive buy-in, which CSOs cited as a barrier to good security, dropped from 27 percent in 2003 to 20 percent this year.
